Recent public reports by security researchers indicate that the built-in password manager in Microsoft Edge may load all saved passwords into the browser's process memory in plain text when the browser starts. Although Microsoft has reportedly said that this behaviour is “by design”, it is widely regarded as a significant cybersecurity risk to users.
While this does not mean that passwords can be stolen through normal web browsing, your passwords could be easily exposed if your device is already compromised, or if an attacker gains privileged access to a shared or public device on which you have saved passwords in the MS Edge browser password manager. In such cases, attackers have been shown to be able to use publicly available tools to extract your saved passwords.
To better protect your account and University information, please observe the following security recommendations:
- Do not rely on a browser's built-in password manager to store your NetID password.
- Never save your passwords in browsers on shared, public, or other people's devices.
- Enable multi-factor authentication (MFA) whenever it is available.
- Keep your device up to date with the latest security patches and ensure antivirus/endpoint protection software is enabled and updated.
You also take this opportunity to review whether your NetID password or other University-related account passwords have been saved in your browser. If so, you are strongly advised to remove them from the browser's password manager as a good security practice.
Stay vigilant and follow the recommendations above to help protect your account and University information.
If you need further information or assistance, please contact the IT HelpCentre (Tel: 2766 5900) or submit a request via the IT Online ServiceDesk.
